PT-2024-1246 · Microsoft · Identity
Morgan Brown · Published 2024-01-09 · Updated 2024-12-13
CVE-2024-21319
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Microsoft Identity versions prior to 5.7.0
Microsoft Identity versions prior to 6.34.0
Microsoft Identity versions prior to 7.1.2
Description
The issue stems from improper clearing or release of resources in the Microsoft Identity library for the .NET platform. An attacker could exploit it by crafting a malicious JSON Web Encryption (JWE) token whose compressed payload has a very high compression ratio; decompressing it causes excessive memory allocation and processing time, resulting in a denial-of-service (DoS) condition. Successful exploitation requires access to the public encryption key registered with the identity provider (Entra ID).
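As an added illustration, not code from the advisory or from the Microsoft Identity library, the following Python shows the kind of bounded inflate a token handler needs for JWE payloads compressed with "zip":"DEF", and exercises it against a constructed high-ratio payload; the size limit, function names and sample inputs are assumptions.

```python
import json
import zlib

# JWE "zip": "DEF" (RFC 7516) means raw DEFLATE (RFC 1951) with no zlib header;
# Python's zlib selects that framing with a negative window-size parameter.
RAW_DEFLATE_WBITS = -15
# Assumed policy value: the largest plaintext a token handler will inflate.
# Real claim sets are a few KiB, so hundreds of KiB leaves generous headroom.
MAX_INFLATED_BYTES = 256 * 1024

class DecompressionLimitExceeded(ValueError):
    """Inflating would exceed the configured plaintext size limit."""

def deflate_raw(plaintext: bytes) -> bytes:
    """Compress as a JWE producer does for zip=DEF (raw DEFLATE, best ratio)."""
    comp = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=RAW_DEFLATE_WBITS)
    return comp.compress(plaintext) + comp.flush()

def inflate_bounded(data: bytes, max_output: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE data, allocating at most max_output + 1 output bytes.

    zlib is asked for at most max_output + 1 bytes, so a result longer than
    max_output proves the limit was crossed, whatever the true plaintext size.
    An unbounded inflate here is the resource exhaustion the advisory describes.
    """
    dec = zlib.decompressobj(wbits=RAW_DEFLATE_WBITS)
    out = dec.decompress(data, max_output + 1)
    if len(out) > max_output:
        raise DecompressionLimitExceeded(
            f"plaintext exceeds {max_output} bytes; refusing to inflate further")
    if not dec.eof:  # input fully consumed but stream never terminated
        raise ValueError("truncated or malformed DEFLATE stream")
    return out

def inflate_ok(data: bytes, max_output: int = MAX_INFLATED_BYTES) -> bool:
    """True if data inflates within the limit, False if the guard rejects it."""
    try:
        inflate_bounded(data, max_output)
        return True
    except DecompressionLimitExceeded:
        return False

# Constructed sample inputs (not from the advisory): an ordinary claim set, and
# 8 MiB of zero bytes, which DEFLATE shrinks to a few KiB (ratio near 1000:1).
CLAIMS = json.dumps({"sub": "user@example.com", "aud": "api://example"}).encode()
NORMAL_PAYLOAD = deflate_raw(CLAIMS)
HIGH_RATIO_PAYLOAD = deflate_raw(b"\x00" * (8 * 1024 * 1024))
```

The guard belongs between JWE decryption and claim parsing; since the encryption key the advisory mentions is the public one, possession of it is not a meaningful barrier and the size limit is the control that matters.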
Recommendations
For versions prior to 5.7.0, update to version 5.7.0 or higher.
For versions prior to 6.34.0, update to version 6.34.0 or higher.
For versions prior to 7.1.2, update to version 7.1.2 or higher.
Fix · DoS · Improper Resource Release · RCE · Resource Exhaustion
Affected Products
Alt Linux
AlmaLinux
CentOS
Linux Mint
Identity
Red Hat
Ubuntu